mondoo-google-workspace-security.mql.yaml
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1

policies:
  - uid: mondoo-google-workspace-security
    name: Mondoo Google Workspace Security
    version: 1.0.0
    license: BUSL-1.1
    tags:
      mondoo.com/category: security
      mondoo.com/platform: google-workspace,saas
    authors:
      - name: Mondoo, Inc
        email: [email protected]
    docs:
      desc: |
        The Mondoo Google Workspace Security policy ensures that Google Workspace configurations follow best security practices.

        ### Prerequisites

        1. Create or select a GCP project.
        2. Navigate to the [Google API Console](https://console.cloud.google.com/apis/dashboard).
        3. Select "Enable APIs and Services" and enable the following APIs:
           - Admin SDK API
           - Cloud Identity API
           - Google Calendar API
           - Google Drive API
           - Gmail API
           - Google People API
        4. Create a service account for [Google Workspace](https://support.google.com/a/answer/7378726?product_name=UnuFlow&hl=en&visit_id=638041387835615758-4147680582&rd=1&src=supportwidget0&hl=en).
        5. Create credentials for the service account and download the JSON key file.
        6. Enter the following scopes in Security -> Access and data controls -> API controls, and select [Domain-wide Delegation](https://developers.google.com/workspace/guides/create-credentials#delegate_domain-wide_authority_to_your_service_account):
           - https://www.googleapis.com/auth/admin.chrome.printers.readonly
           - https://www.googleapis.com/auth/admin.directory.customer.readonly
           - https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
           - https://www.googleapis.com/auth/admin.directory.device.mobile.readonly
           - https://www.googleapis.com/auth/admin.directory.domain.readonly
           - https://www.googleapis.com/auth/admin.directory.group.member.readonly
           - https://www.googleapis.com/auth/admin.directory.group.readonly
           - https://www.googleapis.com/auth/admin.directory.orgunit.readonly
           - https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly
           - https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
           - https://www.googleapis.com/auth/admin.directory.user.alias.readonly
           - https://www.googleapis.com/auth/admin.directory.user.readonly
           - https://www.googleapis.com/auth/admin.directory.userschema.readonly
           - https://www.googleapis.com/auth/admin.reports.audit.readonly
           - https://www.googleapis.com/auth/admin.reports.usage.readonly
           - https://www.googleapis.com/auth/admin.directory.user.security
           - https://www.googleapis.com/auth/cloud-identity.groups.readonly

        ### Run policy

        To run this policy against a Google Workspace customer:

        ```bash
        export GOOGLEWORKSPACE_CREDENTIALS=$PWD/my-project-123456-1234ea722b12.json
        cnspec scan google-workspace --customer-id <CUSTOMERID> --impersonated-user-email <EMAIL>
        ```

        ## Join the community!

        Our goal is to build policies that are simple to deploy, accurate, and actionable.

        If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
    groups:
      - filters: asset.platform == "google-workspace" || asset.platform == "googleworkspace"
        checks:
          - uid: mondoo-googleworkspace-security-less-secure-app-access-should-not-be-allowed
          - uid: mondoo-googleworkspace-security-limit-super-admins
          - uid: mondoo-googleworkspace-security-minimum-super-admins
          - uid: mondoo-googleworkspace-security-super-admins-should-use-hardware-based-2fa
          - uid: mondoo-googleworkspace-security-two-step-verification-enforced
queries:
  - uid: mondoo-googleworkspace-security-two-step-verification-enforced
    title: Ensure 2-step verification (multi-factor authentication) is enforced for all users
    impact: 60
    mql: googleworkspace.users.all( isEnforcedIn2Sv == true )
    docs:
      desc: |
        All user accounts should be protected with two-factor authentication. This enhances protection against account takeovers by attackers.
      audit: |
        Run one of these commands to see the enforcement and enrollment status of 2FA for all users:

        __cnspec run__

        To audit Google Workspace with `cnspec run`, run this query:

        ```bash
        cnspec run google-workspace --customer-id <CUSTOMERID> --impersonated-user-email <EMAIL> -c "googleworkspace.users { fullName primaryEmail isEnforcedIn2Sv isEnrolledIn2Sv isAdmin }"
        ```

        __cnspec shell__

        To audit Google Workspace with `cnspec shell`:

        1. Launch `cnspec shell`:

           ```bash
           cnspec shell google-workspace --customer-id <CUSTOMERID> --impersonated-user-email <EMAIL>
           ```

        2. Run this query:

           ```mql
           googleworkspace.users { fullName primaryEmail isEnforcedIn2Sv isEnrolledIn2Sv isAdmin }
           ```
      remediation: |
        Make sure that all users have some form of two-factor authentication enabled. To learn about setting up two-factor authentication, read [Protect your business with 2-Step Verification](https://support.google.com/a/answer/175197?hl=en#zippy=%2Cenforce--step-verification-for-administrators-and-key-users).
  - uid: mondoo-googleworkspace-security-limit-super-admins
    title: Ensure no more than four users have super admin permissions
    impact: 60
    mql: googleworkspace.report.users.where(security["isSuperAdmin"] == true).length <= 4
    docs:
      desc: |
        For larger organizations, it's useful to have several administrators to share the workload. Having more than 4 super admins, however, creates unnecessary risk.
      audit: |
        Run one of these commands to learn the number of admins:

        __cnspec run__

        To audit Google Workspace with `cnspec run`, run this query:

        ```bash
        cnspec run google-workspace --customer-id <CUSTOMERID> --impersonated-user-email <EMAIL> -c "googleworkspace.users.where(isAdmin == true) { fullName primaryEmail }"
        ```

        __cnspec shell__

        To audit Google Workspace with `cnspec shell`:

        1. Launch `cnspec shell`:

           ```bash
           cnspec shell google-workspace --customer-id <CUSTOMERID> --impersonated-user-email <EMAIL>
           ```

        2. Run this query:

           ```mql
           googleworkspace.users.where(isAdmin == true) { fullName primaryEmail }
           ```
      remediation: |
        Adjust the number of users who have admin privileges to be between 2 and 4. To learn how, read [Admin roles for businesses](https://support.google.com/a/topic/9832445?hl=en&ref_topic=2785005) in the Google Workspace documentation.
  - uid: mondoo-googleworkspace-security-minimum-super-admins
    title: Ensure more than one user has super admin permissions
    impact: 60
    mql: googleworkspace.report.users.where(security["isSuperAdmin"] == true).length > 1
    docs:
      desc: |
        Having more than one administrator account is especially important to avoid single points of failure.
      audit: |
        Run one of these commands to learn the number of admins:

        __cnspec run__

        To audit Google Workspace with `cnspec run`, run this query:

        ```bash
        cnspec run google-workspace --customer-id <CUSTOMERID> --impersonated-user-email <EMAIL> -c "googleworkspace.users.where(isAdmin == true) { fullName primaryEmail }"
        ```

        __cnspec shell__

        To audit Google Workspace with `cnspec shell`:

        1. Launch `cnspec shell`:

           ```bash
           cnspec shell google-workspace --customer-id <CUSTOMERID> --impersonated-user-email <EMAIL>
           ```

        2. Run this query:

           ```mql
           googleworkspace.users.where(isAdmin == true) { fullName primaryEmail }
           ```
      remediation: |
        Adjust the number of users who have admin privileges to be between 2 and 4. To learn how, read [Admin roles for businesses](https://support.google.com/a/topic/9832445?hl=en&ref_topic=2785005) in the Google Workspace documentation.
  - uid: mondoo-googleworkspace-security-less-secure-app-access-should-not-be-allowed
    title: Users should not be allowed less secure app access
    impact: 70
    mql: googleworkspace.report.users.all(security["isLessSecureAppsAccessAllowed"] == false)
    docs:
      desc: |
        Less secure apps do not use modern security standards like OAuth, which increases the risk of compromised accounts and devices. By locking down these apps and devices, you increase data safety.
      audit: |
        Run one of these commands to display all users who are allowed access to less secure apps (the query returns `[]` if there are none):

        __cnspec run__

        To audit Google Workspace with `cnspec run`, run this query (the MQL is single-quoted so that the double quotes inside it reach cnspec intact):

        ```bash
        cnspec run google-workspace --customer-id <CUSTOMERID> --impersonated-user-email <EMAIL> -c 'googleworkspace.report.users.where(security["isLessSecureAppsAccessAllowed"] != false) { fullName primaryEmail }'
        ```

        __cnspec shell__

        To audit Google Workspace with `cnspec shell`:

        1. Launch `cnspec shell`:

           ```bash
           cnspec shell google-workspace --customer-id <CUSTOMERID> --impersonated-user-email <EMAIL>
           ```

        2. Run this query:

           ```mql
           googleworkspace.report.users.where(security["isLessSecureAppsAccessAllowed"] != false) { fullName primaryEmail }
           ```
      remediation: |
        Make sure to block the usage of less secure apps in Google Workspace. To learn how, read [Control access to less secure apps](https://support.google.com/a/answer/6260879?hl=en) in the Google Workspace documentation.
  - uid: mondoo-googleworkspace-security-super-admins-should-use-hardware-based-2fa
    title: Super admins should use hardware-based security keys
    impact: 70
    mql: googleworkspace.report.users.where(security["isSuperAdmin"] == true).all(security["numSecurityKeys"] >= 1)
    docs:
      desc: |
        All user accounts should be protected with two-factor authentication. This enhances protection against account takeovers by attackers. Furthermore, high-value accounts such as Super Admins should be protected by hardware-based security keys as their second factor. They should not rely on SMS verification, which is prone to SIM swapping attacks.
      audit: |
        Run one of these commands to see how many security keys each super admin has registered:

        __cnspec run__

        To audit Google Workspace with `cnspec run`, run this query (the MQL is single-quoted so that the double quotes inside it reach cnspec intact):

        ```bash
        cnspec run google-workspace --customer-id <CUSTOMERID> --impersonated-user-email <EMAIL> -c 'googleworkspace.report.users.where(security["isSuperAdmin"] == true) { security["numSecurityKeys"] userEmail }'
        ```

        __cnspec shell__

        To audit Google Workspace with `cnspec shell`:

        1. Launch `cnspec shell`:

           ```bash
           cnspec shell google-workspace --customer-id <CUSTOMERID> --impersonated-user-email <EMAIL>
           ```

        2. Run this query:

           ```mql
           googleworkspace.report.users.where(security["isSuperAdmin"] == true) { security["numSecurityKeys"] userEmail }
           ```
      remediation: |
        Make sure that all high-value targets such as Super Admins have some form of two-factor authentication enabled. Also make sure that they are using security keys for the 2-Step Verification process. To learn about setting up security keys for the 2-Step Verification process, read [Use a security key for 2-Step Verification](https://support.google.com/accounts/answer/6103523?hl=En).
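The five checks in the policy are MQL and need a live tenant plus a delegated service account to run. The following Python is an added example, not part of the policy file or of cnspec: it re-implements the same five rules over constructed data in the shape of an Admin SDK Reports API user usage report (`accounts:is_2sv_enforced`, `accounts:is_super_admin`, `accounts:num_security_keys`, `accounts:is_less_secure_apps_access_allowed`), which this example assumes is the source of the `security[...]` values the policy queries. The check uids are copied from the policy; the `UserSecurity` type, `parse_report`, `evaluate`, `audit_less_secure_apps` and the sample users are this example's own. It also shows why the audit query's `!= false` lists more users than the check's `== false` fails on: a user whose report carries no value for the parameter is caught by both.

```python
"""Offline re-implementation of the five Mondoo Google Workspace checks.
Added example, not part of the policy file or of cnspec. Input is constructed
data shaped like an Admin SDK Reports API userUsageReport response; nothing is
fetched from Google."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Check uids copied from the policy file so results can be matched to it.
UID_2SV = "mondoo-googleworkspace-security-two-step-verification-enforced"
UID_LIMIT_SA = "mondoo-googleworkspace-security-limit-super-admins"
UID_MIN_SA = "mondoo-googleworkspace-security-minimum-super-admins"
UID_LSA = "mondoo-googleworkspace-security-less-secure-app-access-should-not-be-allowed"
UID_KEYS = "mondoo-googleworkspace-security-super-admins-should-use-hardware-based-2fa"


@dataclass
class UserSecurity:
    """One user's security attributes; None means the report had no value."""
    email: str
    is_2sv_enforced: Optional[bool]
    is_super_admin: Optional[bool]
    num_security_keys: Optional[int]
    less_secure_apps_allowed: Optional[bool]


def _param(entry: Dict[str, Any], name: str) -> Any:
    """Look up one accounts:* parameter. The Reports API returns intValue as a
    string, so it is converted; a parameter that is absent yields None."""
    for p in entry.get("parameters", []):
        if p.get("name") != name:
            continue
        if "boolValue" in p:
            return bool(p["boolValue"])
        if "intValue" in p:
            return int(p["intValue"])
    return None


def parse_report(report: Dict[str, Any]) -> List[UserSecurity]:
    """Flatten a userUsageReport response into UserSecurity records."""
    return [
        UserSecurity(
            email=e["entity"]["userEmail"],
            is_2sv_enforced=_param(e, "accounts:is_2sv_enforced"),
            is_super_admin=_param(e, "accounts:is_super_admin"),
            num_security_keys=_param(e, "accounts:num_security_keys"),
            less_secure_apps_allowed=_param(e, "accounts:is_less_secure_apps_access_allowed"),
        )
        for e in report.get("usageReports", [])
    ]


def super_admins(users: List[UserSecurity]) -> List[UserSecurity]:
    """Users whose report says isSuperAdmin == true (a missing value is not true)."""
    return [u for u in users if u.is_super_admin is True]


def evaluate(users: List[UserSecurity]) -> Dict[str, bool]:
    """Mirror the policy's MQL. `is True` / `is False` keep the semantics of
    `== true` / `== false`: a missing value (None) never satisfies a check."""
    sa = super_admins(users)
    return {
        UID_2SV: all(u.is_2sv_enforced is True for u in users),
        UID_LIMIT_SA: len(sa) <= 4,
        UID_MIN_SA: len(sa) > 1,
        UID_LSA: all(u.less_secure_apps_allowed is False for u in users),
        UID_KEYS: all((u.num_security_keys or 0) >= 1 for u in sa),
    }


def audit_less_secure_apps(users: List[UserSecurity]) -> List[str]:
    """The policy's audit query filters with `!= false`, so a user whose report
    has no value for the parameter is listed as well; this does the same."""
    return [u.email for u in users if u.less_secure_apps_allowed is not False]


def _entry(email: str, **params: Any) -> Dict[str, Any]:
    """Build one constructed usageReports entry from keyword parameters."""
    plist = []
    for name, value in params.items():
        is_int = isinstance(value, int) and not isinstance(value, bool)
        key = "intValue" if is_int else "boolValue"
        plist.append({"name": "accounts:" + name, key: str(value) if is_int else value})
    return {"entity": {"userEmail": email}, "parameters": plist}


# Constructed sample tenant: two super admins (one without a security key), one
# user with less secure apps allowed, and one user whose report lacks that
# parameter and who has 2SV not enforced.
SAMPLE_REPORT = {
    "usageReports": [
        _entry("alice@example.com", is_2sv_enforced=True, is_super_admin=True,
               num_security_keys=2, is_less_secure_apps_access_allowed=False),
        _entry("bob@example.com", is_2sv_enforced=True, is_super_admin=True,
               num_security_keys=0, is_less_secure_apps_access_allowed=False),
        _entry("carol@example.com", is_2sv_enforced=True, is_super_admin=False,
               num_security_keys=1, is_less_secure_apps_access_allowed=True),
        _entry("dave@example.com", is_2sv_enforced=False, is_super_admin=False,
               num_security_keys=0),
    ]
}

if __name__ == "__main__":
    users = parse_report(SAMPLE_REPORT)
    for uid, passed in evaluate(users).items():
        print(f"{'PASS' if passed else 'FAIL'}  {uid}")
    print("less secure apps audit:", audit_less_secure_apps(users))
```

On the sample tenant the super-admin count checks pass (two admins, within 2..4) while the 2SV, less-secure-apps and security-key checks fail, and the audit list names both carol (explicitly allowed) and dave (no value reported). Treating a missing value as a failure rather than a pass is the conservative choice the policy's `== false` check already makes; the `!= false` audit simply makes those users visible so the gap in the report can be investigated.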